A recurring issue has been observed where some ESXi hosts intermittently report the DomainMembershipStatus as "Not OK". This results in failed or extremely slow logins for domain users, while local user logins continue to work normally.
The issue is temporarily resolved by navigating to vCenter > Host > Configure > Authentication Services and rejoining or refreshing the domain configuration. However, the problem reappears after some time.
This behavior has been observed across multiple environments and versions since ESXi 6.x and continues intermittently with no clear pattern among hosts.
Symptoms
DomainMembershipStatus intermittently shows "Not OK"
Domain user logins to the ESXi host fail intermittently
SSH login using domain credentials takes 3–4 minutes after reconfiguration
Operations involving domain users are significantly slower than local accounts
Issue reoccurs randomly across different hosts
NSLookup and Telnet to domain controllers succeed
Environment
ESXi 8.x
Cause
In the ESXi host log (/var/log/syslog.log), multiple LDAP and CLDAP errors from lwsmd (the Likewise service manager that handles Active Directory integration on ESXi) were identified, indicating connectivity problems to certain Domain Controllers (DCs):
lwsmd[xxxxx]: Failed on LDAP simple bind (Error code: 40286)
lwsmd[xxxxx]: [netlogon] Found DC <DC_name> (<IP>) where LDAP port 389 is not accessible.
lwsmd[xxxxx]: [netlogon] CLDAP ping to cached DC <DC_name> (<IP>) failed, new DC will be looked up
This indicates that the ESXi host is attempting to communicate with a Domain Controller that is either unreachable or has LDAP port 389 blocked. While the host cannot reach that DC, domain authentication requests fail, or are delayed for as long as it takes the host to give up on the cached DC and retry against an alternate one.
The intermittent DomainMembershipStatus: Not OK is caused by network reachability problems between the host and one or more Domain Controllers. Specifically, the "Found DC <DC_name> (<IP>) where LDAP port 389 is not accessible" entry quoted above confirms that LDAP port 389 on that DC could not be reached from the host at the time of the error.
When a DC becomes unreachable or slow to respond, lwsmd marks it as bad temporarily and then looks up another DC. That retry cycle is what produces the slow or failed domain logins, and the status returns to OK once a reachable DC is found, which is why rejoining or refreshing the domain configuration only helps until the host next lands on an affected DC.
Resolution
Contact the network team to investigate connectivity from the ESXi hosts to the affected Domain Controllers on LDAP port 389. Before escalating, identify which DCs the host is flagging (the DC names and IPs in the "[netlogon]" entries in /var/log/syslog.log) and test TCP port 389 to each of them from the host itself, repeatedly, because a single successful nslookup or telnet from the host does not rule out an intermittent block or a path that is only broken toward some DCs.
If a Domain Controller is unreachable on port 389, the ESXi host cannot complete LDAP binds, resulting in failed or slow domain logins.
Since the problem occurs intermittently and affects only domain authentication (local accounts keep working), it points to a network-related issue impacting communication with one or more DCs rather than a problem with the host's own authentication stack.
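The following script is an added example for the log review and the port check described above; it is not part of the original article. It is meant to be run from the ESXi shell (busybox sh). It pulls the DC names and IPs out of the "[netlogon]" errors in /var/log/syslog.log, ranks them by how often they were flagged, and then probes TCP 389 on each one with nc. The hostnames, IPs and PIDs in the embedded sample log are constructed, the use of nc with -z and -w assumes the busybox nc shipped with ESXi, and the script falls back to the sample when /var/log/syslog.log is not readable so it can be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the original article): triage the lwsmd/netlogon
# errors behind DomainMembershipStatus "Not OK" on an ESXi host.
# Usage on the host:  sh dc_triage.sh [/var/log/syslog.log]

# Constructed sample in the format of the errors quoted in the article.
# DC names, IPs, PIDs and timestamps are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-02T08:11:03Z lwsmd[2104]: [netlogon] CLDAP ping to cached DC dc01.corp.example (10.10.1.11) failed, new DC will be looked up
2024-05-02T08:11:03Z lwsmd[2104]: [netlogon] Found DC dc01.corp.example (10.10.1.11) where LDAP port 389 is not accessible.
2024-05-02T08:11:09Z lwsmd[2104]: Failed on LDAP simple bind (Error code: 40286)
2024-05-02T08:12:41Z lwsmd[2104]: [netlogon] Found DC dc02.corp.example (10.10.1.12) where LDAP port 389 is not accessible.
2024-05-02T08:13:15Z lwsmd[2104]: [netlogon] CLDAP ping to cached DC dc01.corp.example (10.10.1.11) failed, new DC will be looked up
2024-05-02T08:13:16Z lwsmd[2104]: [netlogon] CLDAP ping to cached DC dc02.corp.example (10.10.1.12) failed, new DC will be looked up
2024-05-02T08:13:16Z lwsmd[2104]: [netlogon] Found DC dc03.corp.example (10.10.1.13) where LDAP port 389 is not accessible.
EOF

# Print "count dcname ip" for every DC that lwsmd reported as unreachable on
# LDAP/389 or that failed a CLDAP ping, most frequently flagged first.
# $1 is the log file to scan.
flagged_dcs() {
    sed -n \
      -e 's/.*\[netlogon\] Found DC \([^ ]*\) (\([^)]*\)) where LDAP port 389 is not accessible.*/\1 \2/p' \
      -e 's/.*\[netlogon\] CLDAP ping to cached DC \([^ ]*\) (\([^)]*\)) failed.*/\1 \2/p' \
      "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Probe TCP 389 on one DC IP. busybox nc: -z connect-only, -w 5 gives a
# black-holed DC five seconds before the loop moves on (assumed flags).
check_ldap_port() {
    if nc -z -w 5 "$1" 389 2>/dev/null; then
        echo "$1 389/tcp open"
    else
        echo "$1 389/tcp NOT reachable"
    fi
}

LOG=${1:-/var/log/syslog.log}
[ -r "$LOG" ] || LOG=$SAMPLE_LOG   # off-host: use the constructed sample

echo "DCs flagged in $LOG (count name ip):"
flagged_dcs "$LOG"
echo
echo "Live LDAP/389 check of each flagged DC from this host:"
flagged_dcs "$LOG" | while read -r count name ip; do
    check_ldap_port "$ip"
done
```

Run it a few times over the course of a day; a DC that is "NOT reachable" in one run and open in the next is exactly the intermittent case the host logs describe, and the count column tells the network team which DC and IP to start with. A DC that is flagged in the log but always answers on 389 during the probe points at a filter that drops only some traffic (for example a stateful rule timing out long-lived sessions), which is worth stating in the ticket.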